DEPTEX: Organization-First, Open Source Dependency Risk Monitoring
Henry Ruckman-Utting, Vrushal Nedungadi, Taiga Okuma, LeTian Wang, Stephen Ehebald, Mohammad A. Tayebi

TL;DR
Deptex is a novel, organization-centric platform that combines graph analysis, semantic verification, and programmable governance to proactively manage open-source dependency risks.
Contribution
It introduces Execution Path Dominance and an 'As Code' engine for dynamic, context-aware supply chain risk management in open-source software.
Findings
Calculates true operational blast radius of vulnerabilities.
Enables enforcement of custom, dynamic compliance policies.
Shifts risk management from reactive to proactive.
Abstract
Open-source software (OSS) dependencies introduce systemic risks that are difficult to manage at scale. Existing Software Composition Analysis (SCA) and reachability tools generate severe alert fatigue by treating risk as an intrinsic component property, ignoring semantic context and forcing enterprises into rigid compliance frameworks. We present Deptex, an organization-first, graph-based platform treating supply chain risk as emergent. Deptex introduces Execution Path Dominance (EPD), fusing Code Property Graph (CPG) slicing with Large Language Model (LLM) semantic verification to calculate a vulnerability's true operational blast radius. To handle bespoke compliance, Deptex abstracts governance into a programmable "As Code" engine, enabling security teams to natively enforce dynamic pull request policies, custom asset tiers, and external API integrations. By shifting from reactive…
